Share via


Configure FTP Server Authentication

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Internet Information Services (IIS) supports the following File Transfer Protocol (FTP) authentication methods:

  • Anonymous FTP authentication

  • Basic FTP authentication

Available authentication settings must be set at the site level for FTP sites. FTP service is not enabled by default in IIS 6.0.

Important

If you change the security settings for your FTP site or virtual directory, your Web server prompts you for permission to reset the security settings for the child nodes of that site or directory. If you choose to accept these settings, the child nodes inherit the security settings from the parent site or directory.

Requirements

  • Credentials: Membership in the Administrators group on the local computer.

  • Tools: Iis.msc.

Recommendation

As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type **runas /user:**administrative_accountname mmc %systemroot%\system32\inetsrv\iis.msc.

Procedures

Enable Anonymous FTP Authentication

If you select Anonymous FTP authentication to secure FTP resources, all requests for that resource are accepted without prompting the user for a user name or password. For Anonymous authentication, IIS automatically creates a Windows user account called IUSR_computername, where computername is the name of the server on which IIS is running. If you have both Anonymous FTP authentication and Basic FTP authentication enabled, IIS tries to use the Anonymous FTP authentication user account first.

To enable the Anonymous FTP authentication method

  1. In IIS Manager, right-click the FTP site, directory, virtual directory, or file you want to configure, and click Properties.

  2. Click the Security Accounts tab.

  3. Select the Allow anonymous connections check box.

  4. To allow your users to gain access by Anonymous authentication only, select the Allow only anonymous connections check box.

  5. In the User name and Password boxes, enter the Anonymous logon user name and password you want to use, and then click OK

    The user name is the name of the anonymous user account, which is typically designated as **IUSR_**computername.

    Note   If the default **IUSR_**computername account will not be used for Anonymous FTP authentication, you must create a Windows user account appropriate for the authentication method. For more information about creating a new user account, see the procedure Create a Service Account in this section.

  6. Set the appropriate NTFS permissions for the anonymous account.

  7. For more information about setting NTFS permissions, see the procedure Configure NTFS Permissions earlier in this appendix.

Enable Basic FTP Authentication

If you select the Basic FTP authentication method to secure your FTP resources, users must log on with a user name and password corresponding to a valid Windows user account. If the FTP server cannot verify a user's identity, the server returns an error message. Basic FTP authentication provides only low security because the user transmits the user name and password across the network in an unencrypted form.

To enable the Basic FTP authentication method

  1. Create a Windows user account appropriate for the authentication method. If appropriate, add the account to a Windows user group.

    For more information about creating a new user account, see the procedure Create a Service Account earlier in this appendix.

  2. Configure NTFS permissions for the directory or file for which you want to control access.

    For more information about setting NTFS permissions, see the procedure Configure NTFS Permissions earlier in this appendix.

  3. In IIS Manager, right-click the FTP site, directory, virtual directory, or file you want to configure, and click Properties.

  4. Click the Security Accounts tab.

  5. Clear the Allow anonymous connections check box, and then click OK.